> The other point to bear in mind is that we won't know whether there is a limit to quantum entanglement until we encounter it.

That’s true, but...

> There is no law of physics that states we must be able to form arbitrarily complex superpositions of quantum states. That is an assumption in our current models of physics.

That’s not quite true. (Or perhaps it’s more correct to say that it’s true, but misleading.) It’s true in the same sense that the speed of light being a constant that is the same in all reference frames is an “assumption.” The evidence that this is correct is overwhelming, and the evidence that quantum mechanics applies to arbitrarily large systems of entangled states is likewise overwhelming. All attempts to find an experimental regime where quantum mechanics fails have failed. If you seek solace against the possibility of cryptographic keys falling to quantum computers you are better off looking for it in engineering constraints than in the prospect of discovering new physics.

> "All attempts to find an experimental regime where quantum mechanics fails have failed"
>
> That is not remotely true. We still haven't figured out how to make gravity work.

Let me be more precise then: QM has been experimentally demonstrated with objects up to 10,000 AMU mass [https://arxiv.org/abs/1310.8343]. The smallest gravitational field that has ever been measured (AFAICT) was produced by a mass of ~10^22 AMU [http://jetp.ac.ru/cgi-bin/dn/e_067_10_1963.pdf] (~100 mg). That’s a gap of 17 orders of magnitude. It is known that QM and GR are mathematically incompatible with each other, so somewhere in that gap one or the other of the two theories has to give. But all attempts to find an experimental regime where either theory can be demonstrated to fail have failed, and all attempts to determine whether it is QM or GR that has to give have also failed.

All I’m saying is that, given the above facts, betting the future of digital security on the hypothesis that QM fails before it gets to the point where you can implement Shor’s algorithm is unwise.

Personally, my money is on gravity being quantized, and also that to demonstrate this requires a field strength on the order of what is found near the event horizon of a black hole, so we’re unlikely to see this question definitively settled in a laboratory any time soon.

> More relevantly, what exactly do we mean by decoherence? What exactly is it that causes it?

That has been well understood for decades now. The seminal papers on decoherence were published in 1970. For an accessible layman’s account I recommend David Z. Albert’s excellent book, “Quantum Mechanics and Experience”, chapter 5. The short version of the story is that a system decoheres if any of its degrees of freedom become entangled with anything outside of the system (and note that entanglement is not an all-or-nothing phenomenon. Entanglement is a continuum.) When that happens, the system considered in isolation is no longer in a pure state and can no longer self-interfere. The more degrees of freedom a system has, the harder it becomes as a practical matter to keep all of them isolated from (i.e. prevent them from becoming entangled with) their environment. It really is just as simple as that.

> The assumption here seems to be that the only reason to build quantum computers is to break RSA.

No, the assumption is that breaking RSA will be catastrophic, and so the prospect of developing QC is a cause for concern in the context of a discussion list dedicated to cryptography. I certainly never meant to imply that that’s the *only* reason anyone should care about quantum computing, but it’s certainly *a* reason.

> This is science, not engineering. I used to do experimental particle physics so it is science I am somewhat familiar with. But it is still not engineering and unlikely to be for another decade or two if ever.

Yes, I’m not denying that. All I’m saying is that *if* there turns out to be an insurmountable obstacle to breaking crypto with QC, that obstacle is more likely to be an engineering limitation than a scientific one.